Your Instagram Photos Are Leaking


Your phone's Wi-Fi is leaking. It's telling Kyle McDonald, and people like him, where you've been. It might be telling him where you live and where you work, where you go to school, and what websites you're visiting. And although you've probably been blissfully unaware of all this, he's going to throw this data up on a big screen for all to see at this year's Moogfest.

"Sometimes, I just kind of check out what people around me are doing," said McDonald, a programmer and multimedia artist. "Sometimes that means knowing what websites they're on, but with non-HTTPS websites, you can also see what pages they're looking at."

Your phone's greatest Wi-Fi weakness is in the "probe request frame," which checks to see if a local Wi-Fi network is one your device already knows about, McDonald said. That often contains a list of past networks the phone has connected to, and because a lot of networks have informative names, it can reveal where you spend your time, he said.

Beyond that, if you're on an unsecured network, your Web page requests go out in the open, although if you're lucky, the pages themselves will be encrypted.

"My research indicates that Instagram sends photos over the air unencrypted. Just this evening,  I did a 'quick sniff' of myself scrolling through Instagram,"  McDonald said.

While Instagram uses secure HTTPS for API calls, security research has shown that photo URLs are unencrypted. The company is currently working on switching photo URLs to HTTPS, which would foil eavesdroppers in that particular case. But there's still a lot of data your phone will be leaking.

Who's Watching You?
You're probably not being surveilled by another patron at Starbucks, unless you're unlucky enough to be drinking coffee near McDonald. But "it's absolutely certain that everybody is being surveilled all the time" by some entity, he said. (That could be network managers, ISPs, wireless carriers, or the government, for instance.)

He also pointed out other ways Wi-Fi leakage can be used without your permission: there's a company called Nomi that uses your phone's Wi-Fi to track your location in a store, without telling customers they're being tracked. Nomi settled with the FTC last year about not offering a promised opt-out in stores using its system, although it still doesn't promise it will tell you if you're being sniffed.

"It's worth bothering about if you care about being yourself," McDonald said. "It's kind of hard to go back to not caring about this. When you know you're leaking data, you act differently and you present yourself differently."

At their Moogfest installation called "The Wi-Fi Whisperer," McDonald and Surya Mattu will be collecting data from everyone on the public Wi-Fi network, as well as anyone who passes by the installation. A speaker will whisper key tidbits, such as "an Instagram image is being downloaded right now," and four monitors will run Google searches based on the data, showing how easy it is to connect it to personal information. On an associated website, McDonald will ask poll questions based on data from participants who have agreed to share it: "do they seem dangerous? Are they a dog person? Do they own a car?"

McDonald's past projects have often involved crowdsourcing and social networking, and he's borrowing some ideas here from his last project (shown above), which crowdsourced annotations of 12 hours of video. Here, he's using the crowd to choose what the sniffed information "means."

So how do you protect yourself? Apple devices are somewhat better than Android 5 devices at probe request privacy, according to a paper from Xerox PARC. The jury seems to still be out on Android 6. Turn off your Wi-Fi unless you really need it, McDonald says. Don't connect to networks that don't require a password. And if you're still worried, install a VPN (virtual private network) on your phone. We have a rundown of the Best VPN Services showing which ones have mobile clients.

Cellular networks are much harder to sniff, although of course the NSA can look at pretty much any network it wants to, McDonald said.

PCMag is a sponsor of Moogfest, running from May 19-22 in Durham, NC. Buy tickets here. Wi-Fi Whisperer may appear at other festivals, McDonald said.

0 Comment

Leave a Reply

Captcha image


  • 5300c769af79e

    The Foo Show is already exploring the future of virtual media

    But it’s also already changing virtual reality — and it could give us one of our first cyber stars.The Foo Show is a new virtual reality series that is going to kick into full, weekly production this summer, and it has me convinced that gaming isn’t the only form of entertainment that will thrive on this new platform.
  • 5300c769af79e

    Sapho Gives Enterprise Applications A Millennial-Friendly Makeover

    Traditional enterprise applications are the cornerstone of many an IT infrastructure, but when you put them next to the AI on your mobile phone -- Siri or Google Now -- they seem antiquated and not very user friendly.Indeed, Salesforce's revenues are growing at a fast pace, while sales of on-premises enterprise software are hurting.
  • 5300c769af79e

    Survey: In-App Customer Support Is a Winner

    Consumers want mobile apps with good in-app customer support, suggest results of a survey Helpshift released last week.The survey revealed the following: "Mobile app reviews and ratings are part of a company's brand reputation," said Cindy Zhou, principal analyst at Constellation Research.
  • 5300c769af79e

    Facetune 2 App Debuts Live Face Editing

    Already the top paid photo-editing app in the App Store, Facetune lets you not only fix obvious issues like blemishes and flash-reddened eyes, but also whiten teeth and reshape heads.The company behind Facetune, Lightricks, also makes Enlight (an Apple Best of 2016 award runner-up), an all-around mobile photo editor with Photoshop-like layer capabilities.